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ABSTRACT 

The  problem  of  localizing  in-band  wormhole  tunnels  in  MAN¬ 
ETs  is  considered.  In  an  in-band  wormhole  attack,  colluding 
attackers  use  a  covert  tunnel  to  create  the  illusion  that  two 
remote  network  regions  are  directly  connected.  This  ap¬ 
parent  shortcut  in  the  topology  attracts  traffic  which  the 
attackers  can  then  control. 

To  identify  the  nodes  participating  in  the  attack,  it  is  nec¬ 
essary  to  determine  the  path  through  which  victims’  traffic 
is  covertly  tunneled.  This  paper  begins  with  binary  hypoth¬ 
esis  testing,  which  tests  whether  a  suspected  path  is  carrying 
tunneled  traffic.  The  detection  algorithm  is  presented  and 
evaluated  using  synthetic  voice  over  IP  (VoIP)  traffic  gener¬ 
ated  in  a  network  testbed.  After  that,  we  consider  multiple 
hypothesis  testing  to  find  the  most  likely  tunnel  path  among 
a  large  number  of  candidates.  We  present  a  tunnel  path  esti¬ 
mation  algorithm  and  its  numerical  evaluation  using  Poisson 
traffic.  A  main  feature  of  the  proposed  algorithms  is  their 
robustness  against  the  presence  of  chaff  packets  (possibly 
introduced  to  avoid  detection),  packet  loss  caused  by  unre¬ 
liable  wireless  links,  and  clock  skew  at  different  nodes. 

Categories  and  Subject  Descriptors 

C.2.0  [Computer-Communication  Networks]:  General — 
Security  and  protection  (e.g.,  firewalls) 

General  Terms 

Security 

Work  in  this  paper  was  prepared  through  collaborative 
participation  in  the  Communications  and  Networks  Consor¬ 
tium  sponsored  by  the  U.  S.  Army  Research  Laboratory 
under  the  Collaborative  Technology  Alliance  Program,  Co¬ 
operative  Agreement  DAAD19-01-2-  0011,  and  was  spon¬ 
sored  in  part  by  National  Science  Foundation  under  Con¬ 
tract  CCF-0635070  and  Army  Research  Office  MURI  Pro¬ 
gram  under  award  W911NF-08-1-0238.  The  first  author  was 
partially  supported  by  Samsung  Scholarship.  The  U.  S.  Gov¬ 
ernment  is  authorized  to  reproduce  and  distribute  reprints 
for  Government  purposes  notwithstanding  any  copyright  no¬ 
tation  thereon. 


Copyright  2010  Association  for  Computing  Machinery.  ACM  acknowl¬ 
edges  that  this  contribution  was  authored  or  co-authored  by  an  employee, 
contractor  or  affiliate  of  the  U.S.  Government.  As  such,  the  Government  re¬ 
tains  a  nonexclusive,  royalty-free  right  to  publish  or  reproduce  this  article, 
or  to  allow  others  to  do  so,  for  Government  purposes  only. 

WiSec’10,  March  22-24,  2010,  Hoboken,  New  Jersey,  USA. 

Copyright  2010  ACM  978-1-60558-923-7/10/03  ...$10.00. 


1.  INTRODUCTION 

Mobile  ad  hoc  networks  (MANETs)  rely  on  cooperative 
routing  protocols  in  which  ordinary  nodes  work  together 
to  form  appropriate  routes  and  forward  traffic  along  them. 
The  dynamic  nature  of  the  network  topology  mandates  that 
routes  be  discovered  and  maintained  continuously.  A  funda¬ 
mental  security  issue  is  that  a  small  number  of  compromised 
nodes  may  be  able  to  manipulate  these  protocols  to  disrupt 
traffic  throughout  the  network. 

An  example  is  the  in-band  wormhole  attack  [19],  in  which 
colluding  nodes  create  the  illusion  that  two  remote  regions 
are  directly  connected  via  a  single-hop  shortcut  referred  to 
as  the  wormhole  link.  The  apparent  shortcut  undermines 
routing  calculations  and  allows  the  attackers  to  attract  and 
control  traffic  that  would  not  flow  through  them  otherwise. 
If  optimally  positioned,  the  attackers  may  be  able  to  attract 
and  control  a  large  fraction  of  the  network’s  traffic. 

The  wormhole  attack  requires  two  attacking  nodes  to  serve 
as  a  pair  of  endpoints  of  the  wormhole  tunnel,  and  they 
covertly  tunnel  traffic  between  the  regions  by  exploiting  other 
unsuspecting  nodes  as  traffic  forwarders.  The  attack  typ¬ 
ically  requires  one  or  more  colluding  attackers  that  serve 
as  application-layer  waypoints  along  the  tunnel  path  [19]. 
These  waypoints  stabilize  the  tunnel  by  breaking  the  tunnel 
path  into  segments  each  having  a  route  that  is  short  enough 
to  be  unaffected  by  the  presence  of  the  wormhole  link.  See 
Section  2.1  for  the  discussion  of  a  specific  example. 

In  this  paper,  we  consider  the  problem  of  localizing  (z.e., 
identifying)  the  covert  tunnel  path  based  on  packet  timing 
information  as  a  means  of  identifying  the  attacking  nodes, 
especially  those  that  serve  as  tunnel  waypoints.  We  assume 
that  one  or  more  of  the  victim  nodes  suspect  the  presence 
of  a  wormhole,  and  thus  initiate  a  sequence  of  tests  to  lo¬ 
calize  the  tunnel.  This  process,  described  below,  is  based 
on  the  premise  that  if  the  forwarded  traffic  has  delay  con¬ 
straints  ( e.g .,  VoIP  and  other  time  sensitive  applications), 
then  transmission  times  at  nodes  along  the  tunnel  path  ex¬ 
hibit  strong  temporal  correlations,  which  allow  the  detection 
of  the  presence  of  tunneled  traffic. 

The  use  of  timing  information  does  not  need  to  be  ex¬ 
clusive  in  practice;  there  may  be  other  sources  of  evidence 
( e.g .,  the  knowledge  of  packet  headers)  that  can  be  incor¬ 
porated  to  enhance  the  localization  performance.  In  this 
paper,  however,  we  will  focus  entirely  on  a  timing  based  ap¬ 
proach,  motivated  by  the  need  to  understand  the  value  of 
timing  in  detection  and  the  fact  that  packet  headers  and 
other  auxiliary  information  may  be  unavailable  due  to  the 
encryption  of  forwarded  traffic. 
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1.1  Summary  of  Contribution  and  Limitations 

This  paper  presents  timing-based  algorithms  for  localizing 
in-band  wormhole  tunnels  in  MANETs.  To  our  best  knowl¬ 
edge,  the  proposed  approach  is  the  first  directed  at  identify¬ 
ing  covert  tunnels  in  their  entirety,  including  the  colluding 
relay  nodes  that  are  required  to  prevent  wormhole  tunnels 
from  collapsing  [19].  Furthermore,  it  is  applicable  to  both 
the  self-contained  and  extended  in-band  wormholes  [19]. 

As  the  simplest  case,  we  first  present  a  detection  algo¬ 
rithm  aimed  at  determining  whether  a  suspected  path  is  the 
true  tunnel  path.  This  detector  has  its  origin  in  [15]  but  in¬ 
cludes  a  nontrivial  extension  to  deal  with  clock  skew  present 
in  MANETs.  Then,  we  present  a  path  estimation  algorithm 
aimed  to  find  the  most  likely  tunnel  path  among  a  large  num¬ 
ber  of  candidates.  The  proposed  algorithms  are  intended  to 
be  used  in  conjunction  with  other  existing  techniques  that 
detect  the  likely  presence  of  a  wormhole  attack  and  identify 
the  endpoints  of  the  suspected  wormhole  link.  Our  algo¬ 
rithms  are  intended  to  validate  such  suspicion  and  identify 
the  correct  tunnel  path  if  an  attack  is  present.  We  describe 
a  simple  conceptual  model  of  how  these  components  can  be 
integrated  into  a  tunnel  localization  system.  The  proposed 
algorithms  are  evaluated  using  synthetic  VoIP  traffic  gener¬ 
ated  in  a  network  testbed  and  Poisson  traffic,  and  the  results 
are  quite  promising.  Both  algorithms  have  linear  complexity 
with  respect  to  the  number  of  samples  used. 

The  proposed  algorithms  are  robust  against  various  prac¬ 
tical  networking  uncertainties,  especially  the  presence  of  tim¬ 
ing  jitter  and  chaff  packet  transmissions.  The  algorithms 
are  non-parametric  in  the  sense  that  they  do  not  require  the 
knowledge  of  probability  distributions  of  the  timing  obser¬ 
vations  although  some  of  the  analytical  results  (Theorem  1) 
and  the  numerical  results  are  obtained  under  specific  prob¬ 
abilistic  models.  Indeed,  the  synthetic  VoIP  traffic,  used  for 
evaluation,  is  generated  from  a  practical  emulation  system 
that  implements  a  suite  of  realistic  networking  protocols. 

The  main  limitation  of  the  proposed  algorithms  is  the  re¬ 
quirement  of  persistent  measurements  and  the  timing  con¬ 
straints.  In  particular,  our  algorithms  apply  to  those  scenar¬ 
ios  in  which  a  relatively  long  sequence  (from  100s  to  1000s) 
of  packets  is  passed  through  a  wormhole  tunnel,  and  each 
packet  is  subject  to  a  delay  constraint  at  forwarding  nodes. 
Such  limitations  make  the  technique  appropriate  for  time 
sensitive  applications  such  as  VoIP,  but  may  not  be  appli¬ 
cable  for  the  detection  of  tunneling  of  individual  packets. 

The  use  of  timing  alone  also  limits  the  localization  per¬ 
formance,  which  was  discussed  in  [15].  Specifically,  the  flow 
tunneled  through  the  wormhole  has  to  be  sufficiently  strong. 
In  other  words,  a  timing-based  localization  scheme  can  be 
defeated  if  the  attacker  artificially  inserts  a  large  enough 
number  of  dummy  (chaff)  transmissions.  However,  this  may 
not  be  a  severe  limitation  because  the  attacker  may  not  have 
control  of  all  nodes  in  the  tunnel,  and  the  transmission  of  a 
large  number  of  dummy  packets  may  reveal  the  presence  of 
an  attack. 

1.2  Related  Work 

Most  existing  techniques  for  detecting  wormhole  attacks 
in  MANETs  concern  out-of-band  wormholes,  in  which  at¬ 
tackers  connect  the  purported  neighbors  via  an  extra  RF 
channel  or  wireline  network  not  accessible  to  other  nodes. 
These  attacks  do  not  utilize  covert  tunnels.  The  concept 
of  an  out-of-band  wormhole  in  ad  hoc  networks  was  intro¬ 


duced  by  Hu  [17],  who  outlines  temporal  and  geographic 
countermeasures  designed  to  detect  the  remote  forwarding 
of  packets.  Hu  describes  packet  leashes,  which  attempt  to 
restrict  the  maximum  transmission  distance  of  a  packet.  In 
this  scheme,  packets  that  arrive  through  wormhole  paths 
will  be  received  outside  a  tightly  synchronized  time  window 
and  can  be  treated  by  the  recipient  as  invalid.  Other  dis¬ 
tance  bounding  approaches  for  out-of-band  wormholes  are 
described  by  Lazos  [20],  Khalil  [18],  and  Adjih  [5].  Buttyan 
[9]  proposes  techniques  for  detecting  out-of-band  wormholes 
based  on  statistical  changes  to  neighbor  hop  counts  and  path 
lengths.  Gorlatova  [13]  describes  the  detection  of  out-of- 
band  wormholes  in  an  OLSR  network  [10]  by  analyzing  the 
power  spectral  density  of  periodic  HELLO  messages  received 
from  neighboring  nodes.  If  the  HELLOs  have  arrived  via  a 
wormhole,  the  associated  delay,  even  if  quite  small,  is  said 
to  smear  the  HELLO  message  time  series.  Awerbuch  [6,  7] 
proposes  the  On-Demand  Secure  Byzantine  Routing  proto¬ 
col  (ODSBR),  and  describes  its  ability  to  defend  against 
various  attacks,  including  out-of-band  wormholes.  ODSBR 
mechanisms  do  not  detect  wormholes  per  se;  instead  they 
detect  packet  dropping  that  has  been  applied  to  traffic  trav¬ 
eling  through  wormholes. 

Research  concerning  in-band  wormholes  has  focused  on 
identifying  attacking  nodes  at  tunnel  endpoints.  In-band 
wormhole  attacks  were  first  described  in  detail  by  Kruus 
[19].  Kruus  proposes  detecting  these  attacks  and  identi¬ 
fying  attackers  at  wormhole  tunnel  endpoints  by  collect¬ 
ing  roundtrip  packet  loss  and  delay  measurements  for  short 
paths  throughout  the  network  and  regionally  correlating  those 
measurements  that  are  unexpectedly  high.  Sterne  [22]  ex¬ 
tends  this  approach  by  using  opportunistic  voting  to  counter 
the  threat  that  Byzantine  nodes  may  deliberately  introduce 
path  measurement  errors  that  act  as  false  accusations  against 
honest  nodes.  Zheng  [25]  also  examines  the  detection  of 
in-band  wormholes  by  collection  of  round  trip  delay  mea¬ 
surements  but  applies  more  elaborate  statistical  analysis 
techniques  to  these  measurements  to  distinguish  wormhole- 
induced  delays  from  network  congestion.  Unlike  our  tech¬ 
niques,  none  of  these  identifies  colluding  relay  nodes.  Fur¬ 
thermore,  these  techniques  are  primarily  applicable  to  the 
self-contained  form  of  in-band  wormhole  (see  Section  2.1). 

The  mathematical  techniques  adopted  in  this  paper  be¬ 
long  to  the  family  of  traffic  analysis  [12]  aimed  at  draw¬ 
ing  inference  from  timing  patterns.  The  genesis  of  our  ap¬ 
proach  may  be  traced  to  the  seminal  work  by  Donoho  et. 
al.  [11]  where  the  authors  provided  insights  into  the  use  of 
timing  information  to  detect  stepping  stone  attacks.  It  is 
Blum,  Song,  and  Venkataraman  [8]  who  provided  a  mathe¬ 
matically  rigorous  approach  to  the  detection  of  a  sequence 
of  packets  subject  to  delay  constraints.  Their  approach  is 
later  generalized  by  He  and  Tong  [14-16]  to  deal  with  the 
presence  of  chaff  in  the  timing  measurements.  The  mathe¬ 
matical  theory  behind  the  detection  of  information  flow  was 
presented  in  [15]  where  the  fundamental  limits  of  flow  detec¬ 
tion  using  timing  measurements  and  the  forms  of  detectors 
are  presented.  Motivated  by  [15],  this  paper  provides  spe¬ 
cific  implementations  for  the  wormhole  tunnel  localization 
in  practical  MANETs,  including  a  new  technique  to  deal 
with  synchronization  and  the  tunnel  path  estimation  algo¬ 
rithm.  Another  relevant  technique  is  the  use  of  the  concept 
of  water  marking  by  Wang  and  Reeves.  See  [23]  and  ref¬ 
erences  therein.  Such  techniques  are  vulnerable  when  the 
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Figure  1:  Self-contained  In-Band  Wormhole 


adversary  can  significantly  perturb  the  timing  information, 
as  it  is  possible  in  this  case. 

1.3  Organization 

This  paper  is  organized  as  follows.  In  Section  2,  we  in¬ 
troduce  the  attack  model,  the  main  assumptions  adopted 
in  this  paper,  the  wormhole  tunnel  localization  system,  and 
the  mathematical  model  of  a  wormhole  attack.  In  Section  3, 
we  introduce  the  algorithm  aimed  at  determining  whether  a 
suspected  path  is  the  true  tunnel  path,  and  present  analyti¬ 
cal  and  experimental  results.  Section  4  proposes  the  tunnel 
path  estimation  algorithm,  which  finds  the  most  likely  tun¬ 
nel  path  among  a  large  number  of  candidates,  and  presents 
its  numerical  evaluation.  Section  5  contains  discussion  about 
the  results  and  possible  future  work.  Section  6  concludes  the 
paper  with  remarks  on  its  contributions. 

2.  WORMHOLE  ATTACK  AND 
LOCALIZATION  SYSTEM 

2.1  An  Example  of  a  Wormhole  Attack 

An  example  of  a  self-contained  in-band  wormhole  in  a 
48-node  MANET  that  uses  the  OLSR  routing  protocol  is 
shown  in  Fig.  1.  This  attack  involves  four  attacking  nodes 
positioned  in  a  roughly  rectangular  arrangement  around  the 
periphery  of  the  network.  These  nodes,  101,  102,  103,  and 
105,  are  highlighted  in  the  figure  by  four  small  surround¬ 
ing  squares.  The  wormhole  link  created  by  the  attack  (the 
illusory  shortcut)  is  shown  as  a  dashed  blue  straight  line 
between  attacking  nodes  102  and  105  near  the  top  of  the 
figure.  The  wormhole  tunnel  path  is  shown  in  the  figure  as 
a  dotted  red  line  connecting  four  attacking  nodes.  To  make 
it  appear  that  nodes  102  and  105  are  directly  connected, 
102  covertly  sends  into  the  tunnel  copies  of  all  of  its  out¬ 
going  one-hop  packets,  including  OLSR  HELLO  (neighbor 
sensing)  messages,  other  broadcast  packets,  and  forwarded 
packets  sent  to  102’s  layer  2  address.  This  allows  such  pack¬ 
ets  to  reach  node  105  despite  the  fact  that  105  is  more  than 
one  hop  from  102.  Node  105  similarly  copies  into  the  tun¬ 
nel  outbound  one-hop  packets  that  would  reach  102  if  these 
two  nodes  were  directly  connected.  This  creates  the  illusion 
that  nodes  102  and  105  are  directly  connected  and  causes 
many  nodes  on  the  left  and  right  sides  of  the  figure  to  believe 
that  the  shortest  path  to  the  opposite  side  of  the  network 
is  via  nodes  102  and  105,  and  to  route  their  traffic  to  those 
attacking  nodes  for  forwarding. 


Attacker  nodes  101  and  103,  at  the  bottom  left  and  bot¬ 
tom  right,  serve  as  the  application- layer  waypoints  needed 
to  stabilize  routing  through  the  tunnel,  as  mentioned  above. 
When  node  102  sends  a  packet  into  the  tunnel,  it  encap¬ 
sulates  the  packet  and  sends  it  through  a  tunnel  segment 
that  terminates  at  node  101,  the  closest  waypoint.  Packets 
sent  into  this  tunnel  segment  are  addressed  at  the  network 
layer  to  node  101.  After  a  packet  emerges  from  the  seg¬ 
ment  tunnel  at  node  101  and  is  de-encapsulated,  node  101 
re-encapsulates  it  and  copies  into  another  segment  tunnel 
that  terminates  at  the  next  way  point,  node  103.  Similarly, 
node  103  pushes  the  packet  through  the  final  tunnel  seg¬ 
ment  to  node  105.  Note  that  nodes  along  the  tunnel  path, 
other  than  the  colluding  waypoints,  have  no  knowledge  of 
the  fact  that  they  are  supporting  this  covert  tunnel.  For  ex¬ 
ample,  because  of  encapsulation,  packets  forwarded  by  node 
133  (near  the  bottom  of  the  figure)  appear  to  be  ordinary 
packets  sent  by  node  101  to  103. 

In  the  extended  in-band  wormhole  attack  [19],  rather  than 
copying  their  own  one-hop  packets  into  the  tunnel,  nodes 
102  and  105  copy  into  the  tunnel  one-hop  packets  promis¬ 
cuously  overhead  emanating  from  one  or  more  of  their  real 
neighbors.  When  these  packets  emerge  from  the  far  end  of 
the  tunnel,  the  receiving  attacker  rebroadcasts  them.  This 
creates  the  illusion  that  the  attackers’  own  neighbors  are 
directly  connected.  For  example,  nodes  106  (a  neighbor  of 
102)  and  109  (a  neighbor  of  105)  will  hear  each  other’s  trans¬ 
missions  and  believe  they  are  directly  connected.  This  form 
of  wormhole  can  be  used  to  create  a  mesh  of  wormhole  links 
between  their  respective  sets  of  neighbors. 

2.2  Practical  Assumptions 

We  envision  our  tunnel  localization  algorithms  as  being  in¬ 
corporated  into  a  cooperative  intrusion  detection  system  [24] . 
In  such  a  system,  nodes  throughout  a  MANET  are  recruited 
to  serve  as  intrusion  detection  sensors.  To  support  tunnel  lo¬ 
calization,  we  require  that  each  recruited  node  keeps  logs  of 
recent  packet  transmission  times  and  destination  addresses 
and  transfer  excerpts  from  these  logs  on  demand  to  a  desig¬ 
nated  correlation  node  when  a  wormhole  attack  is  suspected. 
We  also  assume  that  all  packet  transmission  logs,  including 
those  submitted  by  attacking  nodes,  are  correct.  Although  a 
cooperative  intrusion  detection  system  that  is  deployed  op¬ 
erationally  must  account  for  the  possibility  that  attacking 
nodes  may  deliberately  report  erroneous  transmission  logs, 
addressing  that  threat  is  beyond  the  scope  of  this  paper. 

To  an  attacker,  the  primary  value  of  a  wormhole  attack  is 
that  it  attracts  traffic,  which  the  attacker  can  control  at  an 
opportune  time  in  the  future,  e.g.,  by  discarding,  delaying, 
or  damaging  packets  before  forwarding  them.  Consequently, 
a  wormhole  that  persists  is  of  greater  threat  than  a  wormhole 
that  exists  momentarily  or  intermittently,  because  it  allows 
the  adversary  to  lie  in  wait.  As  a  result,  for  the  defender,  de¬ 
tecting  the  onset  of  a  wormhole  attack  immediately  is  much 
less  important  than  detecting  continuing  wormhole  activ¬ 
ity  reliably  and  accurately.  In  this  regard,  wormholes  and 
other  attacks  on  routing  protocols  pose  a  different  kind  of 
threat  than  host-penetration  attacks  in  which  a  single  ma¬ 
licious  packet  may  cause  substantial  damage  and  must  be 
detected  immediately.  In  this  vein,  we  make  the  simplifying 
assumption  that  a  wormhole  that  poses  a  significant  threat 
will  persist  and  that  its  covert  tunnel  path  will  remain  sta¬ 
ble  for  at  least  one  period  of  sufficient  duration  to  log  the 


3 


Attack 

Ti  T2 

Path 

Pe 

Validation 

Alarm 

- > 

Estimation 

- > 

Figure  2:  In-band  Wormhole  Tunnel  Localization  System:  If  attack 
is  detected,  the  Attack  Alarm  block  produces  suspected  tunnel  end¬ 
points  Ti  and  T®  Then,  the  Path  Estimation  block  gives  the  most 
likely  tunnel  path  Pe,  and  the  Validation  block  checks  whether  Pe  is 
being  used  as  a  tunnel  path  and  makes  a  decision. 


number  of  packet  transmission  events  required  by  our  tunnel 
localization  algorithm. 

2.3  Tunnel  Localization  System 

Our  conceptual  model  for  an  in-band  wormhole  tunnel  lo¬ 
calization  system  combines  our  localization  algorithms  with 
other  techniques.  As  illustrated  in  Fig.  2,  the  localization 
system  consists  of  three  functional  blocks:  Attack  Alarm , 
Path  Estimation ,  and  Validation. 

For  the  Attack  Alarm  block,  we  assume  that  by  using 
an  existing  technique,  the  presence  of  a  wormhole  attack 
can  be  detected  by  victims  whose  traffic  travels  through  the 
wormhole  link.  For  example,  victims  may  be  able  to  tell  that 
an  attack  is  underway  because  of  the  statistical  distribution 
of  round-trip  times  measured  through  paths  that  utilize  the 
wormhole  link  [19,25],  the  power  spectral  density  of  inter- 
Hello  message  arrival  times  received  through  the  link  [13], 
or  other  indicators.  We  further  assume  that  such  techniques 
will  also  identify  the  endpoints  of  the  wormhole  link.  For 
a  self-contained  wormhole,  which  we  will  focus  on  here  for 
simplicity,  these  nodes  are  also  the  tunnel  endpoints.  So 
when  an  attack  is  detected,  the  Attack  Alarm  block  identifies 
tunnel  endpoints  and  initiates  the  Path  Estimation  block. 

The  Path  Estimation  block  employs  the  tunnel  path  es¬ 
timation  algorithm  presented  in  Section  4.  Initiated  by  the 
Attack  Alarm  block,  this  block  estimates  the  most  likely 
tunnel  path  among  all  possible  paths  between  two  suspected 
endpoints. 

The  Validation  block  receives  the  tunnel  path  estimate 
from  the  Path  Estimation  block,  and  uses  the  detection  algo¬ 
rithm  proposed  in  Section  3  to  check  whether  the  estimated 
path  is  being  used  as  an  in-band  wormhole  tunnel.  If  the 
estimated  path  is  judged  to  be  innocent,  then  the  Validation 
block  declares  ‘no  attack’;  otherwise,  it  declares  ‘attack’  and 
identifies  the  tunnel  path. 

In  the  localization  system,  the  path  estimation  algorithm 
is  used  earlier  than  the  validation  algorithm  for  a  single  path. 
However,  we  deal  with  the  single  path  validation  problem 
first,  in  Section  3,  because  it  gives  the  intuition  behind  the 
tunnel  path  estimation  algorithm. 

2.4  Mathematical  Model 

2.4.1  Notation 

The  transmission  timing  at  a  set  of  nodes  is  modeled  as 
point  processes.  We  use  uppercase  bold  letters  (e.g.,  S) 
to  denote  point  processes  and  the  corresponding  lowercase 
bold  letters  (z.e.,  s)  to  denote  their  realizations.  For  a  point 
process  S,  we  use  S(k)  to  denote  the  random  variable  corre¬ 
sponding  to  the  kth  transmission  epoch,  and  s(k)  its  realiza¬ 


tion.  Given  two  realizations  of  point  processes  (ai,  <22, . . .) 
and  (61,  62, . . .),  ©  is  the  superposition  operator  defined  as 
(ak)kLi  ©  (bk)kL  1  =  (ck)kL  1,  where  a  <  c2  <  •  •  •  and 
{ak}kLi  U  {bk}kL\  —  {ck}kL l-  Given  a  realization  s,  we  use 
S  to  denote  the  set  of  elements  in  this  realization 

2.4.2  Information  flow  and  Observation  Model 

We  assume  that  the  MANET  carries  information  flows, 
and  the  wormhole  attracts  certain  flows  through  its  tunnel. 
We  assume  that  these  flows  have  delay  constraints  such  that 
packets  of  such  flows  must  be  forwarded  by  intermediate 
nodes  within  certain  deadlines.  The  notion  of  information 
flow  with  a  bounded  delay  constraint  can  be  formally  defined 
as  below. 

Definition  1.  Let  Fi  denote  the  point  process  correspond¬ 
ing  to  the  transmission  epochs  at  relay  node  Ri.  Then 
the  sequence  of  processes  (Fi, . . . ,  Fn)  forms  an  information 
flow  with  bounded  delay  A  if  for  every  realization  £ \  {i  = 
1, . . . ,  n),  there  exist  bijections  gi  :  T \  —>  Ti+i  (i  =  1, . . . ,  n— 
1)  such  that  0  <  gfis)  —  s  <  A  for  all  s  E  3© 

The  bijection  gi  maps  the  transmission  timing  of  a  packet 
in  Ri  to  that  of  the  same  packet  in  Ri+i.  The  bijection 
condition  means  packet  conservation ,  and  gfls)  —  s  G  [0,  A] 
ensures  causality  and  a  maximum  delay  A. 

In  practice,  a  node  can  multiplex  different  traffic  in  its 
transmissions.  It  can  also  introduce  dummy  transmissions 
to  confuse  the  intrusion  detection  system.  In  addition,  if  a 
packet  is  dropped  in  the  middle  of  the  path,  then  the  packet 
is  not  a  part  of  an  information  flow.  Therefore,  timing  traces 
at  monitored  nodes  may  include  an  information  flow  and 
some  other  transmissions  to  which  we  refer  as  chaff  noise. 

Under  the  hypothesis  that  a  set  of  nodes  Ri  forms  a  worm- 
hole  tunnel,  the  observed  transmission  epochs  Si  at  Ri  will 
then  be  a  superposition  of  an  information  flow  Fi  and  chaff 
noise  W p. 

Si  =  Fi  ®  Wi,  i  —  1, . . . ,  n,  m 

Fi+i  =  0*(F»)  i  =  1, . . . ,  n  —  1. 

Note  that  chaff  noise  is  not  subject  to  any  constraints  on 
information  flows  and  can  be  correlated  with  the  flows. 

In  this  paper,  we  mainly  consider  two  problems,  single 
path  validation  and  tunnel  path  estimation.  Their  mathe¬ 
matical  formulations  are  given  in  the  beginning  of  Section  3 
and  Section  4. 


3.  SINGLE  PATH  VALIDATION 

This  section  presents  the  detection  algorithm  for  the  Vali¬ 
dation  block,  which  detects  the  presence  of  a  wormhole  tun¬ 
nel  on  a  suspected  path.  The  algorithm  also  provides  the 
intuition  behind  the  tunnel  path  estimation  algorithm  pro¬ 
posed  in  Section  4. 

3.1  Single  Path  Validation  Problem 

Suppose  that  we  are  interested  in  detecting  whether  a  se¬ 
quence  of  nodes,  Ri,  R2, ... ,  Rn ,  forms  an  in-band  worm- 
hole  tunnel.  Let  Si  (i  =  1, . . . ,  n)  be  the  process  of  transmis¬ 
sion  timestamps  of  node  Ri.  By  observing  Si  (i  =  1, . . . ,  n) 
for  some  time  t  (t  >  0),  test  the  following  hypotheses: 

Ho  •  Si,  S2,  •  •  • ,  Sn  are  jointly  independent  ,  * 
Hi  :  (Si)?=1  contains  an  information  flow  '  ' 
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We  note  that  the  above  two  hypotheses  are  not  compli¬ 
mentary  in  general.  In  general,  a  flow  may  travel  a  subset 
of  relay  nodes,  say  only  Ri ,  R2,  and  R3.  In  that  case,  only 
timing  at  those  three  nodes  would  satisfy  (1).  In  practice, 
one  will  need  to  execute  a  sequence  of  the  tests  of  the  form 
(2),  starting  with  validating  first  whether  Ri  and  R2  carry 
a  flow.  If  positive,  we  then  verify  whether  Ri,  R2,  and  R3 
carry  a  flow  and  so  on. 

3.2  Fundamental  Limit  on  Consistent 
Detection 

Using  timing  information  alone  has  its  limit  in  detecting 
the  presence  of  an  information  flow  traveling  through  a  set 
of  relay  nodes.  Intuitively,  even  for  any  realization  of  jointly 
independent  transmission  epochs  (Ho  in  (2)),  the  decompo¬ 
sition  of  the  form  (1)  is  possible  if  the  rate  of  the  information 
flow  is  sufficiently  low.  Thus  the  detectability  of  the  worm- 
hole  from  timing  information  hinges  on  the  strength  of  the 
flow  being  sufficiently  strong.  We  therefore  need  the  notion 
of  chaff-to-traffic  ratio  (CTR)  under  Hi. 

Definition  2.  [15]  Given  the  realizations  of  an  informa¬ 

tion  flow  (fi)2=i  and  chaff  noise  (wt)”=i,  the  chaff-to-traffic 
ratio  (CTR)  is  defined  as 

n 

Z)|w4n[o,  t]  | 

CTR(t)  =  - , 

Yi  1(9^  UWi)  n  [0,  t]|  (3) 

i=  1 


3.3  Background:  Minimum  CTR  Flow 
Detection 

The  structure  of  the  proposed  detector  is  based  on  a  thresh¬ 
old  test  on  a  lower  bound  CTR(t)  on  the  true  CTR(t)  as 
defined  in  (3).  Specifically,  the  proposed  detector  takes  the 
following  form 

f  declare  Ho  (no  attack)  if  CTR(t)  >  r  ,  , 

|  declare  Hi  (attack)  if  CTR(t)  <  r 

To  establish  the  Chernoff  consistency  of  the  above  test, 
we  use  the  minimum  CTR  statistics.  Specifically,  given  the 
observed  transmission  epochs  (si)™=1,  we  construct  the  test 
statistic  by  the  following  optimization 


CTR(t)  =  min 

f i  ,w  1  :Si=f£©Wi~7-q 


n 

Eiw*n[°’  *ii 

i=  1 
n 

t] | 

i=  1 


(5) 


where  s*  =  L  ®  ~  Hi  stands  for  the  constraint  that  s* 

carry  a  flow  f \  with  bounded  delay  as  defined  in  Hi. 

We  will  delay  the  discussion  of  the  ways  of  obtaining  the 
above  optimization  with  a  linear  complexity  algorithm  to 
Section  3.4.  For  now,  we  assume  that  the  above  optimization 
can  be  easily  obtained  and  present  a  theoretical  justification 
for  the  detector  given  in  (4). 

In  [15],  assuming  that  the  timing  epochs  are  Poisson  pro¬ 
cesses,  it  is  shown  that,  under  Ho, 


CTR  =  limsup  CTR(t) 

t— >00 

where  |W»  fl  [0,  t\\  is  the  number  of  time  epochs  correspond¬ 
ing  to  the  chaff  packets  at  node  Ri  within  the  time  period 
[0,  t]  and  |(Ti  U  Wi)  fl  [0,  t]  |  the  total  number  of  transmission 
epochs  at  node  Ri  during  the  same  time. 

It  was  shown  in  [15]  that  flows  with  CTR  greater  than 
a  certain  value  can  be  hidden  to  avoid  the  detection.  We 
therefore  need  the  notion  of  Chernoff-consistency  [21]. 

Definition  3.  Let  St  be  a  detector  that  uses  all  timing  data 
up  to  time  t.  The  detector  St  is  called  r -consistent  (r  G 
[0,  1])  if  it  is  Chernoff-consistent  for  all  the  information 
flows  with  CTR  bounded  almost  surely  by  r.  In  other  words, 
the  false  alarm  probability  Pp(^t)  and  the  miss  probability 
Pm (St)  satisfy  the  following: 

1.  lim  PF(St)  =  0  for  any  (S i)™=1  under  Ho] 

t— >00 

2.  sup  lim  Pm  (St)  =  0,  where 

(s i)?=1ev  £^°° 

V  =  {(S;)7=i  :  (S;)7=i  contains  an  information  flow, 
and  limsupCTR(t)  <  r  a.s.}. 

t— >00 

The  consistency  of  a  detector  is  defined  as  the  supremum 
of  r  such  that  the  detector  is  r-consistent. 

Consistency  of  the  detector  is  the  supremum  of  the  frac¬ 
tion  of  chaff  packets  the  detector  can  tolerate.  Therefore, 
higher  consistency  means  that  the  detector  is  more  robust 
to  chaff  noise.  In  what  follows,  we  will  present  a  detection 
algorithm  and  establish  its  Chernoff  consistency. 


3  T0  G  (0, 1)  s.t.  lim  CTR(t)  =  r0  almost  surely  (6) 

t— >00 

Furthermore,  under  Hi,  if  CTR  is  less  than  r0  almost  surely, 
then 

lim  sup  CTR(t)  <  CTR  <  rG  almost  surely  (7) 

t— >00 

Therefore,  if  we  choose  the  detection  threshold  in  (4)  as  r0—e 
with  sufficiently  small  positive  e,  then  the  detector  is  r0  —  e 
consistent.  What  is  left  is  a  way  to  obtain  CTR(t)  in  (5). 

3.4  Computation  of  Minimum  CTR 

The  algorithm  that  computes  the  above  statistic  is  first 
proposed  in  [15].  Referred  to  as  Multi-Bounded  Delay  Relay 
(MBDR),  this  algorithm  partitions  optimally  the  received 
traces  s*  into  the  flow  components  f \  and  the  chaff  compo¬ 
nents  w i,  where  the  flow  components  satisfy  the  bounded 
delay  constraint.  Here  we  present  MBDR  assuming  first 
that  there  is  no  timing  error  in  the  transmission  epoch  mea¬ 
surements.  MBDR  works  as  follows: 

Given  the  measurements  (sj)^=1: 

1.  Match  every  packet  at  time  ti  in  si  with  the  first  un¬ 
matched  packet  t2  in  [ti,  ti  +  A]  in  S2,  conditioned  on 
that  £2  has  a  match  in  S3. 

2.  For  i  =  2, ... ,  n  —  1,  match  the  packet  ti  in  s*  with 
the  first  unmatched  packet  U+ 1  in  [ti,  ti  +  A]  in  Si+i, 
conditioned  on  that  ti+ 1  has  a  match  in  s*+2  (assume 
every  packet  in  sn  has  a  match). 

3.  After  trying  to  match  all  the  packets  in  si,  label  all 
the  unmatched  packets  as  chaff. 
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chaff 

ti  4. 


(a)  Step  1 

Figure  3:  MBDR 


Figure  4:  Damage  from  Clock  Skews. 


For  example,  consider  the  two-hop  case  illustrated  in  Fig.  3. 
To  match  t\  G  Si,  MBDR  first  tries  to  find  a  match  for  1 2. 
However,  MBDR  cannot  match  t\  to  £2,  because  £2  has  no 
match  in  S3.  Then,  MBDR  tries  to  find  a  match  for  £3  G  S2, 
which  is  the  next  unmatched  packet  in  [ti,  t\  +  A]  in  S2. 
Since  £3  can  be  matched  with  1 4  G  S3,  t\  is  matched  with  1 3. 

If  £3  does  not  have  a  match  in  S3,  MBDR  will  try  to  match 
t\  with  the  next  unmatched  packet  in  [ti ,  1 1  +  A]  in  S2.  If 
there  are  no  more  packets  left  in  that  interval,  MBDR  will 
label  1 1  as  chaff. 

For  implementation  of  MBDR,  please  refer  to  Table  5  in 
[15].  The  complexity  of  MBDR  is  0(n2\Si\),  which  is  linear 
with  repect  to  the  number  of  observations  [15]. 

3.5  Minimum  CTR  Detection 
with  Timing  Synchronization 

In  this  section,  we  introduce  Minimum  CTR  Detection 
with  Timing  Synhronization  (MCTRD-TS),  an  in-band  worm- 
hole  tunnel  detection  algorithm  robust  to  clock  skew. 

Clock  skew  can  severely  degrade  the  operation  of  MBDR. 
Fig.  4  illustrates  an  example  of  such  damage.  The  empty 
circles  represent  the  realizations  of  an  information  flow  un¬ 
der  the  perfect  clock  synchronization  assumption,  and  grey 
circles  in  S2  and  S3  represent  the  measurements  with  the 
presence  of  clock  skew.  The  arrows  show  how  the  clocks  of 
node  2  and  node  3  are  different  from  node  1.  Based  on  er¬ 
rorless  measurments,  MBDR  should  claim  that  there  is  no 
chaff.  However,  the  measurements  with  timing  errors  make 
MBDR  falsely  declare  that  all  packets  are  chaff.  This  exam¬ 
ple  shows  the  need  to  take  care  of  clock  skew. 

Because  unrestricted  clock  skew  would  make  the  problem 
intractable,  we  suppose  that  clock  differences  between  nodes 
are  bounded  by  a.  Given  the  measurements  with  unknown 
timing  errors,  it  is  impossible  to  calculate  the  exact  value 
of  CTR(£).  However,  if  the  measurements  are  adjusted  ac¬ 
cordingly,  we  can  still  use  them  for  detection. 

Fig.  5  describes  our  approach  with  a  two-hop  example. 
Grey  circles  are  the  measurements  with  timing  errors.  First, 
we  increase  every  timestamp  in  by  (i  —  T)  a  and  denote 
the  modified  measurements  by  (s*)f=1.  If  Si,  S2,  and  S3 
are  independent  point  processes,  then  so  are  Si,  S2,  and  S3. 


Figure  5:  MCTRD-TS 


Table  1:  Minimum  CTR  Detection  with  Timing  Synhronization 
(MCTRD-TS) 


MCTRD-TS(si,  .  .  .  ,  sn,  A): 


for  i  =  1  :  n 
for  j  =  1  :  | Si  | 

Si U)  <-  *i(j)  +  (i  -  l)a 
end 
end 


CTR  <-  MBDR(si, .  .  .  ,  sn,  A  +  2a) 


return 


{ 


n  1 

Ho 


if  CTR  <  r 
o.w.; 


On  the  other  hand,  if  (s *)f=1  were  drawn  from  Hi,  then  the 
above  adjustment  recovers  the  causality  of  information  flows, 
which  could  have  been  broken  by  clock  skew.  In  addition, 
it  can  be  easily  checked  that,  after  the  adjustment,  informa¬ 
tion  flows  satisfy  the  delay  constraint  A  +  2a.  Therefore, 
we  can  regard  (s i)f=1  as  our  new  measurements  without 
timing  errors,  in  which  transmission  delay  is  bounded  by 
A  +  2 a.  Based  on  this  argument,  MCTRD-TS  with  thresh¬ 
old  r  works  as  follows:  Given  the  measurements  (s i)™=1: 

1.  For  i  —  2 increase  every  timestamp  in  s \  by 
[i—  l)a.  Denote  the  modified  measurements  by  (s i)™=1. 

2.  Apply  MBDR  with  delay  constraint  A  +  2a  to  the 
modified  measurements  (si)™=1,  and  calculate  the  test 
statistic  CTR(£). 

3.  If  CTR(£)  >  r,  declare  Ho  (no  attack);  otherwise,  de¬ 
clare  Tii  (attack). 

Implementation  of  MCTRD-TS  is  given  in  Table  1.  Its 
computational  complexity  is  same  as  that  of  MBDR,  0(n 2  |S  1 1), 
which  is  linear  with  respect  to  the  number  of  observations. 
The  following  states  the  consistency  of  MCTRD-TS. 

Theorem  1.  Assume  that  (Si)™=1  under  Ho  are  Poisson 
processes.  Let  r0  be  the  value  to  which  CTR(t)  converges 
almost  surely  under  Ho.  Then,  for  r  less  than  r0,  MCTRD- 
TS  with  threshold  r  is  r-consistent. 

Sketch  of  Proof:  Denote  MCTRD-TS  with  threshold  r  by 
St.  Under  Ho,  r  <  r0  and  (6)  imply  that  lim  Pp(^t)  =  0 

t— >00 

for  (S i)i=i  under  Ho. 
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Table  2:  Simulation  Parameters 


n 

the  number  of  processes 

A 

the  rate  of  Sj  (i  =  1,  ...  ,n) 

a 

maximum  clock  difference 

A 

maximum  delay 

fc 

CTR  of  the  traffic  under  Ti\ 

Under  Hi,  if  CTR  <  r  almost  surely,  then  (7)  implies 
that  lim  Pm  (St)  =  0.  Therefore,  5t  is  T-consistent.  ■ 

t— >OG 

Furthermore,  from  theorem  3.2  in  [15],  it  can  be  shown 
that  T0  is  the  supremum  of  consistency  we  can  achieve  by 
adjusting  the  threshold  of  MCTRD-TS. 

Theorem  1  characterizes  the  detection  performance  and 
the  limit  of  MCTRD-TS.  Under  the  Poisson  assumption, 
we  can  set  r  to  be  r0  —  e  for  small  positive  e  and  achieve 
(t0  —  e) -consistent  detector.  Even  in  practical  situations,  r0 
in  theorem  1  can  be  a  good  standard  for  a  threshold.  Ex¬ 
perimental  results  in  Section  3.7  address  that  r0  is  a  lower 
bound  for  CTR(t)  of  VoIP  traffic  under  Ho,  when  t  is  suffi¬ 
ciently  large.  Hence,  even  for  VoIP  data,  setting  r  to  be  r0 
gives  us  a  T0-consistent  detector. 

Suppose  that  the  maximum  allowable  false  alarm  proba¬ 
bility  ft  is  given  and  we  aim  to  minimize  the  miss  detection 
probability.  If  we  can  acquire  a  large  number  of  sample  val¬ 
ues  1  of  CTR(t)  under  Ho,  we  can  set  r  as  follows. 

r  =  sup{x  :The  fraction  of  CTR(t)  with  CTR(t)  <  x  (8) 
is  less  than  or  equal  to  ft.} 

where  supremum  is  taken  to  maximize  the  threshold  and,  in 
turn,  minimize  the  miss  detection  probability. 

3.6  Performance  Analysis:  Simulations 

This  section  presents  the  simulation  results  of  MCTRD- 
TS  using  Poisson  traffic.  Table  2  contains  the  explanation 
about  simulation  parameters.  In  simulations,  Poisson  pro¬ 
cesses  are  used  for  transmission  processes  of  nodes,  and  the 
transmission  delay  is  uniformly  distributed  in  [0,  A]. 

Clock  skew  uncertainties  are  represented  by  independent 
and  identically  distributed  random  variables  Ui,  U2,  ■  ■ . ,  Un, 
uniformly  distributed  in  [0,  a].  We  add  Ui  to  every  times¬ 
tamp  of  the  zth  node  to  emulate  the  effects  of  clock  skews. 

Fig.  6  contains  receiver  operating  characteristics  (ROCs) 
of  MCTRD-TS  with  different  number  of  observations2 .  When 
the  number  of  observations  increases,  the  ROC  moves  closer 
to  the  upper  left  corner  (i.e.,  zero  error  probabilities)  as 
expected  from  theorem  1. 

3.7  Performance  Analysis:  Experimental 
Results 

This  section  presents  the  experimental  results  for  MCTRD- 
TS  in  a  network  testbed. 

1  Sample  values  can  be  collected  by  applying  MCTRD- 
TS  to  many  sets  of  Ho  traces.  For  example,  assume  that 
we  have  a  normal  traffic  covering  a  sufficiently  long  time 
interval.  Then,  we  can  synthesize  Ho  traffic,  based  on  the 
approximation  that  traces  from  disjoint  time  intervals  are 
independent.  If  we  are  not  able  to  acquire  such  traffic,  we 
can  instead  use  a  good  synthetic  traffic  model  (e.g.,  renewal 
process  with  heavy  tail  interarrival  time). 

2 100  packets  per  node  means  that  MCTRD-TS  uses  100 
packets  per  node  for  each  detection  trial. 


Figure  6:  ROCs  of  MCTRD-TS  with  different  number  of  observations: 
n  =  6,  A  =  14,  A  =  0.5,  fc  =  0.2,  a  =  0.1,  10,000  Monte  Carlo  runs. 


Wormhole  Link 
(Shortcut  Illusion) 


Figure  7:  Test  Topology 


3. 7. 1  Test  Environment 

We  evaluated  MCTRD-TS  for  wormhole  tunnel  localiza¬ 
tion  accuracy  by  using  it  to  process  data  generated  in  a 
network  testbed  at  the  Army  Research  Laboratory  (ARL). 
The  testbed  is  based  on  Naval  Research  Laboratory’s  Mobile 
Ad-hoc  Network  Emulator  (MANE)  [1].  A  MANE  system 
consists  of  a  collection  of  Linux-based  test  nodes  and  one  or 
more  emulation  servers  that  are  interconnected  via  Ether¬ 
net.  These  systems  are  logically  arranged  in  a  hub  and  spoke 
configuration  such  that  all  traffic  between  test  nodes  must  be 
relayed  by  an  emulation  server.  The  emulation  servers  model 
the  geographic  positioning  and  movement  of  test  nodes,  and 
determine  whether  packets  sent  between  them  should  be  re¬ 
layed  transparently  or  dropped  as  a  function  of  emulated 
distance,  transmission  power,  noise,  and  other  factors. 

Our  experiment  used  12  test  nodes  equipped  with  the  Fe¬ 
dora  Core  3  operating  system  and  the  OLSR  ad  hoc  routing 
daemon  supported  by  olsr.org  [2].  The  MANE  testbed  was 
configured  to  position  these  nodes  in  the  U-shaped  topology 
depicted  in  Fig.  7.  Here,  the  path  (2,6,...,  12,  5)  can  be  in¬ 
terpreted  as  the  tunnel  path  estimate  given  by  the  Path  Es¬ 
timation  block  of  the  localization  system.  Under  7Yi ,  nodes 
2,  1,3,  and  5  were  configured  to  act  as  wormhole  attackers. 
Nodes  2  and  5  were  used  as  tunnel  endpoints,  with  nodes  1 
and  3  acting  as  relays,  as  explained  in  Section  2.1. 

Each  of  these  nodes  runs  a  wormhole  attack  tool  that  uses 
the  vtun  utility  [4]  to  create  wormhole  tunnels.  Tunnels 
may  be  configured  to  use  either  unreliable  (UDP)  or  reliable 
(TCP)  transport  layers.  Because  the  cumulative  effect  of 
packet  loss  over  long  tunnel  path  can  prevent  a  wormhole 
link  from  stabilizing,  making  the  attack  ineffective,  our  tests 
used  TCP-based  tunnels. 

In  addition  to  the  OLSR  protocol  messages  sent  between 
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Table  3:  Packet  Loss  Probability 


1000  observations  (per  node),  A  =  50ms,  a  =  40ms 


Link 

Prob 

Link 

Prob 

Link 

Prob 

2  -  6 

0.0006 

1  -  11 

0.0021 

3  -  10 

0.0526 

6  -  8 

0.0012 

11  -  7 

0.0291 

10  -  12 

0.0055 

8  -  4 

0.0007 

7  -  9 

0.0033 

12  -  5 

0.0433 

4  -  1 

0.0318 

9  -  3 

0.0193 

nodes  2  and  5,  we  created  a  flow  of  synthetic  application  traf¬ 
fic  between  these  nodes.  Both  kinds  of  traffic  are  covertly 
forwarded  by  the  attackers  through  the  wormhole  tunnel. 
To  create  this  traffic,  we  used  NRL’s  Real-Time  Application 
Representative  (RAPR)  [3] .  We  configured  RAPR  to  gener¬ 
ate  a  bursty  flow  of  UDP  packets  resembling  voice  over  IP 
(VoIP)  traffic. 

3. 7.2  Results  and  Analysis 

We  evaluated  MCTRD-TS  using  a  self-contained  in-band 
wormhole.  However,  we  anticipate  that  MCTRD-TS  would 
exhibit  similar  performance  for  a  tunnel  used  in  an  extended 
in-band  wormhole. 

The  objective  of  MCTRD-TS  is  to  detect  the  presence  of 
an  information  flow  in  the  eleven-hop  path  (2,  6,  ... ,  12,  5). 

The  experimental  setting  for  each  hypothesis  is  as  follows. 
Under  7-fo,  each  node  transmits  VoIP  packets  independently 
from  other  nodes.  Under  Hi,  node  2,  node  1,  node  3,  and 
node  5  are  attackers,  and  they  form  the  eleven-hop  in-band 
wormhole  tunnel  described  above.  Furthermore,  as  illus¬ 
trated  in  Fig.  7,  a  VoIP  interference  flow  having  the  same 
rate  as  the  tunnel  flow  is  injected  on  the  path  (8,  4,  1,  11) 
thereby  making  the  experiment  more  realistic.  Under  Hi, 
TCP  tunnels  are  created  between  node  2  and  node  1,  be¬ 
tween  node  1  and  node  3,  and  between  node  3  and  node 
5.  As  explained  in  Section  2.1,  when  the  intermediate  at¬ 
tackers,  node  1  and  node  3,  receive  packets  from  one  TCP 
tunnel  and  send  them  through  the  next  TCP  tunnel,  de¬ 
encapsulation  and  re-encapsulation  occur.  It  was  occasion¬ 
ally  observed  that,  during  this  process,  two  or  more  TCP 
packets  merge  into  a  bigger  TCP  packet.  The  effect  is  simi¬ 
lar  to  introducing  chaff  packets. 

Observations  for  detection  consist  of  the  timestamps  of 
TCP/UDP  data  packets  and  OLSR  control  packets.  From 
every  node  except  node  5,  we  gather  the  transmission  tim¬ 
ings  of  every  packet  with  a  non-zero  length  payload,  whose 
next  hop  address  includes  the  node’s  next  hop  in  the  sus¬ 
pect  path.  From  node  5,  we  collect  the  timings  of  received 
packets  with  a  non-zero  length  payload. 

In  our  experiment,  the  link  connectivity  is  modeled  by 
the  Free  Space  Path  Loss  (FSPL)  propagation  model.  In 
this  setting,  every  link  has  a  certain  packet  loss  probability. 
The  packet  loss  probabilities  of  one-hop  links  in  the  suspect 
path  are  given  in  Table  3.  Note  that  lost  packets  will  also  act 
as  chaff  and,  furthermore,  will  trigger  TCP  retransmissions. 

Fig.  8  is  the  plot  of  CTRs  calculated  by  MCTRD-TS,  un¬ 
der  Ho  and  Hi  respectively,  using  1,000  packets  per  node. 
The  CTR  value  of  index  i  represents  the  CTR  calculated 
using  the  zth  set  of  data  consisting  of  1,000  packets  per 
node.  The  uppermost  plot  is  CTR  values  under  Ho,  the  bot¬ 
tom  one  is  CTR  values  under  Hi,  and  the  middle  straight 
line  represents  a  proper  threshold.  We  can  observe  that 
despite  the  packet  loss  and  the  presence  of  large  amount 
of  chaff  noise,  two  hypotheses  are  quite  separable.  When 
more  than  2,000  observations  per  node  were  used,  CTRs  for 
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Figure  8:  CTR  plots  of  MCTRD-TS:  Tio  rate  =  19.4  packet/sec,  Tii 
rate  =  18.2  packet/sec,  A  =  50ms,  a  =  40 ms,  and  the  number  of 
observation  is  1,000  packets  per  node. 


ROCs  for  different  number  of  observations.  A  =  50ms,  a  =  40ms 


Figure  9:  ROCs  of  MCTRD-TS  with  different  number  of  observations: 
A  =  50ms,  a  =  40ms.  1,500  Monte  Carlo  runs  for  1,000  packet/node 
case,  3,000  Monte  Carlo  runs  for  500  packet/node  case,  and  15,000 
Monte  Carlo  runs  for  100  packet/node  case. 

two  hypotheses  were  completely  separated.  When  we  ran 
MCTRD-TS  over  independent  Poisson  traffic  with  the  rate 
19.4  packet  per  sec,  CTRs  stayed  within  [0.75,  0.82]  range, 
which  is  much  lower  than  Ho  CTR  values  from  the  syn¬ 
thetic  VoIP  traffic.  This  implies  that  lim  sup  CTR  under  Ho 

t— >oo 

is  much  lower  when  the  transmission  processes  are  Poisson 
processes.  From  (6)  and  (7),  we  can  infer  that  the  detec¬ 
tor  is  more  robust  to  chaff  when  used  over  synthetic  VoIP 
traffic  than  Poisson  traffic.  This  argument  agrees  with  the 
claim  in  [15]  that  the  Poisson  assumption  provides  the  lower 
bound  on  the  actual  detection  performance. 

Fig.  9  contains  ROCs  of  MCTRD-TS  with  different  num¬ 
bers  of  observations.  ROCs  are  achieved  by  varying  the 
threshold  of  MCTRD-TS  from  0  to  1  while  computing  the 
false  alarm  probability  and  miss  detection  probability  for 
each  threshold.  The  comparison  of  ROCs  shows  that  a 
larger  number  of  observations  result  in  better  detection  per¬ 
formance. 

Table  4  shows  examples  of  setting  threshold  r,  and  the 
resulting  error  probabilities.  We  employed  (8)  in  section  3.5 
with  k  —  0.004.  There  exist  errors  due  to  the  lack  of  sample 
Ho  CTR  values.  From  the  table,  we  can  see  the  clear  trade¬ 
off  between  the  observation  time  and  detection  performance 
(also  observable  in  Fig.  9).  Note  that  the  observation  time 
depends  on  the  tunnel  stability  which  is  affected  by  the  node 
mobility.  Thus,  we  can  infer  how  the  mobility  of  nodes  may 


Table  4:  Error  Probability  versus  the  number  of  observations 


number  of  observations  per  node 

r 

Pf 

Pm 

100 

0.935 

0.006 

0.161 

500 

0.970 

0.005 

0.026 

1000 

0.978 

0.007 

0.003 

affect  detection  performance,  noting  that  tunnel  instability 
may  also  degrade  the  effectiveness  of  the  attack. 

4.  TUNNEL  PATH  ESTIMATION 

In  this  section,  we  present  the  tunnel  path  estimation  al¬ 
gorithm  that  is  used  in  the  Path  Estimation  block  of  the 
localization  system. 

4.1  Tunnel  Path  Estimation  Problem 

Let  G  =  (Af,  A)  be  a  directed  graph  representing  the 
MANET  topology,  and  assume  that  an  in-band  wormhole 
attack  exists.  Let  N  =  |A/"|,  and  Ri  (i  —  1, . . . ,  N)  denote 
the  nodes,  where  Ri  and  Rn  are  the  tunnel  endpoints,  (i,  j) 
is  in  A  if  and  only  if  Ri  can  send  packets  directly  to  Rj .  By 
observing  (S*)^  for  some  time  t  (t  >  0),  the  goal  is  to  find 
the  true  tunnel  path  (z.e.,  the  path  containing  an  informa¬ 
tion  flow)  among  all  possible  paths  from  R\  to  Rn- 

Note  that  the  above  formulation  assumes  that  we  start 
with  the  correct  tunnel  endpoints.  In  practice,  the  Attack 
Alarm  block  can  produce  false  alarms  or  identify  the  wrong 
tunnel  endpoints.  Even  in  that  case,  our  path  estimation 
algorithm  will  still  select  the  most  likely  path.  However,  the 
path  will  be  proved  innocent  in  the  Validation  block  with 
high  probability.  Hence,  we  focus  on  the  case  in  which  the 
decision  of  the  Attack  Alarm  block  is  correct.  Although  the 
clock  skew  problems  can  be  resolved  as  in  Section  3.5,  for 
simplicity,  we  assume  that  node  clocks  are  synchronized. 

4.2  Incremental  Optimal  Scheduling 

Before  presenting  the  tunnel  path  estimation  algorithm, 
we  introduce  a  new  minimum- CTR  calculation  method,  which 
is  used  as  a  building  block  of  the  path  estimation  algo¬ 
rithm.  Finding  the  minimum  CTR  is  equivalent  to  finding 
a  maximum  number  of  relays.  Here,  we  formally  define  a 
relay  as  a  sequence  of  timings  (ti)£=i,  U  E  Si,  satisfying 
ti  E  [U- 1,  ti- 1  +  A],  2  <  i  <  n  (i.e.,  satisfying  causality 
and  the  delay  bound).  Relays  (ai)™=1  and  (bi)™=1  are  said 
to  be  disjoint  if  ai  ^  bi,\/i.  And,  a  collection  of  disjoint 
relays  is  said  to  be  order-preserving  if  for  any  two  relays 
(cii)i= i,  (bi)i= i,  ai  <  bi  implies  ai  <  bi,  2  <  i  <  n. 

In  [15],  given  the  realization  of  transmission  processes, 
MBDR  is  shown  to  find  a  maximum  number  of  disjoint  re¬ 
lays  by  finding  the  earliest  3  order-preserving  relays.  How¬ 
ever,  if  we  run  MBDR  for  a  large  number  of  paths,  it  be¬ 
comes  inefficient  in  that  it  cannot  reuse  the  calculation  on 
the  shared  paths.  For  instance,  assume  that  we  want  to 
find  a  maximum  number  of  disjoint  relays  for  (si)™=1  and 
(sOri1.  Then,  it  is  natural  to  expect  that  there  would  be  a 
way  to  utilize  the  calculation  on  (s i)™=1  for  the  calculation 
on  (sOrJi1.  However,  in  case  of  MBDR,  the  calculation  on 
(sOS  cannot  benefit  from  the  calculation  on  (si)™=1  due 
to  its  recursive  characteristic.  To  improve  this  drawback,  we 

3Given  two  relays  (oi, . . . ,  an )  and  (fei , . . . ,  bn),  we  say 
that  (oi)”=1  is  earlier  than  (6i)™=1  if  3m  >  1  s.t.,  a*  < 
bi  for  1  <  i  <  m,  and  am  <  6m. 


propose  a  matching  algorithm,  called  Incremental  Optimal 
Scheduling  (IOS),  which  calculates  the  CTRs  of  increasing 
paths  while  benefiting  from  the  previous  calculations. 

Given  the  realizations  (s*)f=1,  IOS  finds  a  maximum  num¬ 
ber  of  disjoint  relays  for  each  (si)jL1?  2  <  k  <  n,  as  follows: 

1.  Set  L{i,  1)  =  (si(z)},  1  <  i  <  |Si|,  and  k  =  2. 

2.  Define  L{i,  k)  to  be  the  set  of  epochs  in  S&  which  can 
be  matched4  to  at  least  one  element  in  L(i,  k  —  1). 

3.  Find  the  earliest  order-preserving  relays  for  (s*)f=1; 

first,  find  the  earliest  relay  containing  si(l),  then  find 
the  earliest  order-preserving  relay  containing  si(2),  and 
repeat  this  until  we  reach  the  last  epoch  of  Si.  Based 
on  the  sets  1  <  i  <  |Si|,  1  <  j  <  k,  this  can  be 

done  by  finding  minimums  of  sets  (refer  to  lines  10-29 
in  Table.  5  in  Appendix  A). 

4.  After  the  matching  is  finished,  calculate  CTR  for  (s$) f=1 . 
If  the  timing  si(z)  is  contained  in  one  of  the  found 
relays,  then  remove  the  epochs  in  L(i,j),  1  <  j  < 
k,  which  are  earlier  than  the  relay;  otherwise,  make 

1  <  j  <  k,  empty. 

5.  If  k  =  n,  terminate;  otherwise,  k  <—  k  +  1  and  go  to  2. 

After  the  iteration  for  k  =  m  is  finished,  L(i,  j),  1  <  i  < 
|Si|,  1  <  j  <  m,  consists  of  the  epochs  t  E  Sj  which  can 
possibly  be  an  entry  of  the  IOS  relay  containing  si(z),  in  the 
later  iterations.  In  other  words,  if  t  E  Sj  is  not  in  L(i,j), 
then  t  can  never  be  in  the  IOS  relay  containing  si(z)  in  the 
later  iterations.  In  step  4,  epochs  which  no  longer  have  such 
possibility  are  removed  from  the  sets. 

IOS  attempts  to  find  the  earliest  order-preserving  relays, 
which  are  the  same  as  what  MBDR  finds  5.  The  rationale 
behind  the  above  paragraph  and  step  4  is  based  on  two  char¬ 
acteristics  of  MBDR  :  (i)  if  si(j)  is  not  contained  in  any  relay 
found  by  MBDR  over  (s*)^1,  then  it  is  not  contained  in  any 
relay  found  by  MBDR  over  (s*)^;  (ii)  if  MBDR  on  (s;)™^1 
finds  a  relay  (ai)™^1  and  MBDR  on  (s*)^  finds  a  relay 
(bi)iLi,  where  a%  =  ffi,  then  ai  <  bi,  1  <  i  <  m  —  1.  The 
implementation  of  IOS  is  given  in  Table  5  in  Appendix  A. 
The  following  theorem  states  the  optimality  of  IOS. 

Theorem  2.  For  any  realization  (si)™=1,  IOS  finds  a  max¬ 
imum  number  of  disjoint  relays. 

Sketch  of  Proof:  See  Appendix  B  ■ 

If  we  use  IOS  to  find  a  maximum  number  of  relays  for 
(sOSLi  and  (s*)^1,  the  calculation  for  (s*)^1  can  be  effec¬ 
tively  reduced  by  using  the  sets  L(i,j),  1  <  i  <  |Si  | ,  1  < 
j  <  n,  resulting  from  the  calculation  on  (s z)^=1.  We  denote 
such  calculation  by  IOS(T,  L,  sn+i)  =  (T,L,  CTR)  ,  where 
T  and  T  are  the  number  of  all  epochs  in  (si)^=i  and  (s*)^1 
respectively,  L(i,j ),  1  <  i  <  |Si |,  1  <  j  <  n  +  1,  are  new 
resulting  sets,  and  CTR  is  CTR  calculated  for  (s*)^1.  The 
complexity  of  IOS (T,L,  sn+i)  is  0(|Si  |(n  log  n))  (see  Ap¬ 
pendix  A.).  However,  if  we  use  MBDR,  since  it  does  not 
benefit  from  the  previous  calculation  on  (sj)^=1,  the  com¬ 
plexity  of  calculation  for  (si)^1  is  0(|Si|n2)  [15]. 

4a  E  Sz+i  can  be  matched  to  b  E  Si  iff  a  E  [b,  b  +  A]. 

5  It  is  shown  in  the  proof  of  theorem  2. 
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If  CTR  of  PA-  <  CTR  of  PB-,  take  PA\ 


Figure  10:  At  each  iteration,  Ri  looks  for  neighbors  which  have  an 
outgoing  arc  to  Ri  (Here,  A  and  B.).  Pa  and  Pb  are  survivor  paths 
of  A  and  B  calculated  in  the  last  iteration,  and  Pa'  and  PB/  are  their 
one-hop  extensions  toward  Ri.  If  CTR  of  PAr  is  lower  than  that  of 
PB / ,  then  Ri  sets  its  survivor  path  to  be  PA/  • 

4.3  Minimum-CTR  Tunnel  Path  Estimation 

Using  IOS  as  a  building  block,  we  propose  a  tunnel  path 
estimation  algorithm,  called  Minimum-CTR  Tunnel  Path 
Estimation  (MCTR-PE).  The  main  idea  is  that  every  node 
saves  one  survivor  path  having  itself  as  the  end  vertex  and 
Ri  as  the  start  vertex.  At  each  iteration,  Ri  sets  its  sur¬ 
vivor  path  to  be  the  best  path  among  one-hop  extensions  of 
its  neighbors’  survivor  paths  (extended  by  adding  Ri  as  the 
end  vertex).  The  path  with  the  minimum  CTR  is  regarded 
as  the  best  path,  where  CTR  for  each  extension  is  calculated 
by  IOS.  After  N  iterations,  MCTR-PE  returns  the  survivor 
path  of  Rn-  Fig.  10  illustrates  how  a  node  sets  its  survivor 
path  at  each  iteration.  The  rationale  behind  MCTR-PE  is 
that  the  path  with  lower  CTR  more  tends  to  contain  an 
information  flow  (be.,  more  tends  to  be  a  true  tunnel  path). 
Given  (s i)iLi,  MCTR-PE  works  as  follows: 

1.  Let  h  —  1.  For  i  —  2, . . . ,  N ,  let  Ii  =  {j  G  A f\(j,  i )  G 
A}.  Ri  saves  one  survivor  path  pi.  Initially,  pi  =  (1), 
and  pi  =  0,2^  1. 

2.  For  i  =  2, . . . ,  N,  sa vepi  intop*.  And,  for  i  =  2, . . . ,  N, 
let  Ci  =  { j  eli\i£  Pj  and  1  G  pj}. 

3.  For  i  =  2, . . . ,  N,  if  Ci  is  not  empty,  make  one- hop 
extension  of  each  pj,  j  G  Ci,  by  adding  i  as  the  end 
vertex.  Among  the  extended  paths,  pick  the  path  with 
the  minimum  CTR  found  by  IOS.  Save  the  selected 
path  into  pi. 

4.  Increase  h  by  1.  If  h  <  N,  go  to  the  step  2;  otherwise, 
return  the  survivor  path  of  Rn- 

The  implementation  of  MCTR-PE  is  given  in  table  6  in 
Appendix  A,  and  the  complexity  6  is  0(|Si||M|iV2  log  N). 

4.4  Performance  Analysis 

We  tested  MCTR-PE  simulating  the  network  topology 
shown  in  Fig.  11,  where  the  path  denoted  by  the  arrow  is 
the  in-band  wormhole  tunnel  path.  There  are  60  possible 
paths  from  R\  to  Rig .  We  set  every  node  to  transmit  at  the 
same  rate  (4  packets  per  sec),  and  the  delay  constraint  is 
0.5  sec.  A  transmission  process  of  a  node  not  on  the  tunnel 
path  is  independent  of  all  other  nodes.  Error  detection  prob¬ 
ability  7  versus  the  flow  strength  is  plotted  in  Fig.  12.  The 

6 Total  N  —  1  iterations  are  excuted,  and  in  each  iteration 
IOS  is  excuted  at  most  \A\  times. 

7Error  detection  probability  is  the  probability  that 
MCTR-PE  chooses  a  wrong  path. 


Figure  11:  Test  Topology  for  MCTR-PE 

Error  Detection  Probability  versus  Flow  to  Chaff  Ratio 


Flow  to  Chaff  Ratio 


Figure  12:  MCTR-PE  Results:  Error  Probability  versus  FCR.  For 
500  samples/node  case,  no  error  occurred  for  FCR  >  0.43.  For  100 
samples/node  case,  no  error  occurred  for  FCR  >  1.5. 


ratio 


|  {flow  packets}| 


on  the  tunnel  path,  denoted  by  Flow 


|  {chaff  noise}| 

to  Chaff  Ratio  (FCR),  is  used  as  the  metric  to  characterize 
the  flow  strength.  The  error  detection  propability  shows  an 
exponential  decay  as  FCR  increases,  and  when  500  samples 
per  node  are  used,  it  shows  reasonably  low  error  probability 
even  when  the  flow  strength  is  weak  (FCR  <  0.5).  In  addi¬ 
tion,  the  increase  in  the  number  of  observations  leads  to  a 
significant  decrease  in  the  error  detection  probability. 


5.  DISCUSSION 

While  the  presented  results  are  encouraging,  verifying  that 
the  MCTRD-TS  and  MCTR-PE  algorithms  can  identify  worm- 
hole  tunnels  accurately  under  more  realistic  conditions  will 
require  additional  research.  In  particular,  MCTR-PE  needs 
to  be  tested  with  more  realistic  traces  than  Poisson  traf¬ 
fic.  Both  algorithms  should  be  tested  in  larger  topologies, 
with  more  complex  background  traffic.  In  practice,  a  sus¬ 
pected  path  may  partially  overlap  with  many  other  flow 
paths.  Thus,  the  transmission  activities  of  groups  of  nodes 
along  the  path  may  be  correlated,  even  when  the  suspected 
path  is  innocent.  In  such  situations,  the  detection  of  the 
tunneled  traffic  becomes  more  difficult,  and  attaining  the 
detection  accuracy  in  Section  3.7  and  Section  4.4  will  likely 
require  increasing  the  number  of  observations  per  trial. 

As  noted  earlier,  we  have  assumed  that  the  tunnel  path  of 
a  persistent  wormhole  attack  will  remain  stable  for  at  least 
one  period  of  sufficient  duration  to  allow  logging  the  re¬ 
quired  number  of  packet  transmissions,  e.g.,  100-1000  pack¬ 
ets.  While  this  assumption  appears  to  be  a  reasonable  one 
in  general,  its  validity  depends  on  the  mobility  of  the  nodes. 
Regardless,  the  performance  of  MCTRD-TS  and  MCTR-PE 
should  be  evaluated  in  the  presence  of  network  mobility. 
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6.  CONCLUSION 

This  paper  presents  timing-based  algorithms  for  localiz¬ 
ing  in-band  wormhole  tunnels  in  MANETs,  and  proposes  a 
conceptual  model  for  a  tunnel  localization  system  that  com¬ 
bines  our  algorithms  with  existing  techniques  for  detecting 
the  presence  of  a  wormhole  attack.  We  believe  these  are  the 
first  algorithms  directed  at  identifying  such  tunnels  in  their 
entirety,  including  colluding  relay  nodes.  We  have  described 
their  mathematical  basis,  and  presented  performance  eval¬ 
uations  using  Poisson  traffic  and  data  from  a  MANET  em¬ 
ulation  testbed  that  included  synthetic  VoIP  traffic  and  an 
implementation  of  a  wormhole  attack.  Simulation  and  ex¬ 
perimental  results  indicate  that  the  algorithms  exhibit  high 
accuracy  given  an  opportunity  to  obtain  a  sufficient  num¬ 
ber  of  packet  observations,  and  are  robust  to  probabilistic 
packet  loss,  chaff,  and  clock  skew  uncertainty,  which  are  key 
characteristics  of  MANET  environments. 
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Table  5:  Incremental  Optimal  Scheduling  (IOS) 

IOS(si,  .  .  .  ,  sn,  A,  t): 

1:  for  i  =  1:1:  |§i|,  L(i,  1)  =  {S'i(z)}.  end. 

2:  for  j  =  1  :  1  :  n  —  1,  CTR(j)  *—  0.  end. 

3:  T  <—  \Si\,  k  <—  2. 

4:  While  k  <  n 
5:  T^T+  |Sfc|. 

6:  for  i  =  1:1:  |§i  | 

7:  L(i,  k)  <—  {x  E  S/e  :  [x  —  A,  x]  D  L(i,  k  —  1)  +  0} 

8:  end 

9:  for  j  =  1  :  1  :  k,  I(j)  0,  J(j)  0.  end.  /  <—  0. 

10:  for  zi  =1:1:  |Si| 

11:  cr  0,  Ui  <—  0. 

12:  for  j  =  2  :  1  :  k 

13:  Lj  •«—  {a:  £  L(i±,j)  :  a:  >  J(j)  and  x  >  Uj_i} 

14:  If  Lj  is  empty,  a  < —  1  and  break,  end 

15:  Uj  < —  min  Lj  . 

16:  end 

17:  If  <r  =  0 

18:  I(k)  Ufc. 

19:  for  j  m  k  —  1:— 1:2 

20:  I(j)  <-  min(Lj  D  [/(j  +  1)  -  A,  I(j  +  1)]). 

21:  end 

22:  for  j  =  2  :  1  :  k 

23:  L(n,  j)  <-  {cc  E  L(u,  j)  :  x  >  /(j)}. 

24:  end 

25:  ./<-/,/<-/  +  1. 

26:  else 

27:  for  j  =  1  :  1  :  fc,  0.  end. 

28:  end 

29:  end 

30:  CTR(/c  -  1)  <-  fc  <- fc  +  1. 

31:  end 

32:  return  CTR 

APPENDIX 

A.  IMPLEMENTATIONS 

The  implementations  of  IOS  and  MCTR-PE  are  given  in 
Table  5  and  Table  6  respectively.  IOS(T,  L,  sn+i)  executes 
lines  5-30  in  Table  5  once  for  k  =  n  +  1.  Let  A  be  the 
maximum  among  the  rates  of  si, . . . ,  sn+i,  and  assume  that 
the  measurements  are  ordered.  The  main  steps  of  IOS  are 
lines  13,  20,  and  23.  Since  \Lj\  <  nXA  on  average,  1  <  j  < 
n+l,  a  single  execution  of  three  lines  takes  O(logn).  Hence, 
the  complexity  of  IOS(T,  L,  sn+i)  is  0(|Si|(nlogn)). 

B.  PROOF  OF  THEOREM  2 

MBDR  in  [15]  finds  the  earliest  order-preserving  relays, 
and  it  was  proved  to  find  a  maximum  number  of  disjoint 
relays.  Let  (T? (k))k=i  be  the  ith  relay  found  by  IOS  over 
(Si)?=i,  and  (T7l(^))fc=:i  the  ^th  relay  found  by  MBDR.  We 
will  show  that  (T™(/c))J?=1  —  (XJf1  (fc))^=1 ,  Vi,  n. 

We  use  mathematical  induction.  When  n  —  2,  it  is  easy 
to  check  that  (Tj(k))l=1  =  (Tf(/c))^=1,  Vi.  Assume  that 
(T™ (k))k=1  =  Vi,  is  true  for  n  <  m  —  1.  Then, 

showing  (T/n(/c))^L1  =  (Tim(^))]tL1,  Vi,  concludes  the  proof. 
The  proof  for  (T™ (&))£+!  =  (Tim(^))^L1  is  given  below.  For 
i  >  2,  it  can  be  proved  in  the  same  manner  by  using  another 
induction  (i.e.,  assume  the  statement  is  true  for  i  <  b  —  1, 
and  prove  that  it  is  also  true  for  i  —  b.). 

Since  MBDR  finds  the  earliest  order-preserving  schedules, 
TT(1)  <  rr(l).  And,  if  TT(2)  >  Tr(2),  then 

fr(i)  <  rr(i)  <  rr(2)  <  fr(2)  <  fr(i)  +  a 

and  thus  (TT(1),  Tr(2),  Tr(3), . . . ,  Tr(ra))  is  earlier  than 


Table  6:  Minimum-CTR  Tunnel  Path  Estimation  (MCTR-PE) 
MCTR-PE(si,  .  .  .  ,  sat,  A,  t): 

1:  pi  <-  (1).  Ti  4-  |Si| 

2:  Li:  |Si|  X  1  array,  LRi,  1)  *  (si(i)},  1  <  i  <  |Si  |. 

3:  for  i  =  2  :  1  :  N 

4:  Pi  <-  (),  Ti  <-  0  I,  <-  {j  e  M\  (j,  i)  e  A} 

5:  Li:  |§i|  x  1  array,  Lfij,  1)  =  0,  1  <  j  <  |§i|- 

6:  end 
7:  h  =  1. 

8:  While  h  <  N 
9:  for  i  =  2  :  1  :  N 

10:  pi  <—  pi,  Ti  <—  ^ 

11:  Li  <-  Li 

12:  Ci  <—  (j  E  +  £  Pj  and  1  E  A'}- 

13:  end 

14:  for  i  =  2  :  1  :  N 

15:  if  Ci  /  0 

16:  for  all  j  E  Ci 

17:  (Tj ,  Lj ,  CTR, )  IO~S(T,-,  Ljt  Bi). 

18:  end 

19:  j*  arg  min  CTR7- 

jeCi  3 

20:  pi  extend(pj*  ,  f). 

21:  Ti  Li  ^  L,*. 

22:  end 

23:  end 

24:  h  <-  h  +  1 

25:  end 

26:  return  pat 

*extend(p7*  ,  i):  1-hop  extension  of  +,•*  ,  where  i  is  added  at  its  end. 

(T/71  (&))£!_!  contradicting  the  operation  of  MBDR.  Hence, 
fr(2)  <  rr(2),  and  similarly,  fr(ifc)  <  TF  (k),  1  <  k  <  m. 
Next,  we  show  T^ik)  <  Tim(/c),  1  <  k  <  m. 

When  IOS  finds  the  earliest  relay  containing  T^l)  (i.e., 
runs  lines  11-28  of  Table.  5),  J(j)  =  0,  1  <  j  <  m,  because 
fr(l)  <  rr(l).  Let  be  the  index  such  that  si(il)  = 
fr(l).  The  fact  that  (Tim (fc))^=1  is  a  relay  found  by  MBDR 
implies  T^/c)  G  L(w,k),  1  <  k  <  mn.  This  results  from  the 
induction  hypothesis  and  two  properties  of  MBDR:  (i)  if 
si(w)  is  not  contained  in  any  relay  found  by  MBDR  over 
(si)Iii  3  then  it  is  not  contained  in  any  relay  found  by 
MBDR  over  (s*)^;  (ii)  if  MBDR  on  (si)^1  gives  a  relay 
(aj)™^1  and  MBDR  on  (s*)^!  gives  a  relay  i,  where 

cli  =bi,  then  a\  <  bi,  1  <  i  <  m  —  1. 

Assume  that  timings  are  positive.  T^(k)  G  L(w,k),  1  < 
k  <  m,  implies  u\  =  0,  U2  =  min{x  G  L(w,2)  :  x  >  u\}  < 
T1m(2), . . . ,  Um  =  min{x  G  L(w1  m)  :  x  >  Um-i}  < 
because  Ui  <  T™(i)  <  T^ii  +  1),  1  <  i  <  m  —  1. 

Since  none  of  L(w,  k),  1  <  k  <  m  is  empty,  I(m)  =  um  < 
Tim(m),  in  line  18.  And,  in  line  20, 

I(m—  1)  —  min({x  G  L(w,m—  1)  :  a;  >  7zm-i}n[/(ra)— A,  /(m)]) 

The  set  on  the  right  side  is  nonempty,  and  if  7zm_i  G  [I(m)  — 
A,/(m)],  then  / (m  —  1)  =  7xm-i;  otherwise,  I (m  —  1)  = 
min(L(ie,  m  —  1)  fl  [/(m)  —  A,  /(m)])  <  Tim(m  —  1),  because 
1)  G  L(w,m  —  1)  and  7(m)  <  Tim(m).  In  both  cases, 

/(m  -  1)  <  Tim(rn  -  1),  and  similarly  I(k)  <  Tim(ife),  Vfc. 

On  the  other  hand,  (/(/c))fcLi  is  the  first  relay  found  by 
ISO,  meaning  that  (T1m(/c))^L1  —  Hence,  T1m(/c)  < 

rr(fc),  Vfc.  Therefore,  (Tr(/c))r=i  =  (frW)r=i-  ■ 
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